We show how to implement cryptographic primitives based on the realistic assumption that quantum
storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest
party attempts to store each incoming qubit separately. Our model is similar to the model of 
bounded-quantum storage, however, we consider an explicit noise model inspired by present-day 
technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer 
(OT) is secure for any amount of quantum-storage noise, as long as honest players can perform 
perfect quantum operations. Our model also allows the security of protocols that cope with noise in 
the operations of the honest players and achieve more advanced tasks such as secure identification. 



Traditional cryptography is concerned with the secure 
and reliable transmission of messages. With the advent of 
widespread electronic communication new cryptographic 
tasks have become increasingly important. Examples 
of such tasks are secure identification, electronic voting, 
online auctions, contract signing and other applications 
where the protocol participants do not necessarily trust 
each other. It is well-known that almost all these inter- 
esting tasks are impossible to realize without any restric- 
tions on the participating players, neither classically nor 
with the help of quantum communication [5] . It is there- 
fore an important task to come up with a cryptographic 
model which restricts the capabilities of adversarial play- 
ers and in which these tasks become feasible. It turns out 
that all such two-party protocols can be based on a simple
primitive called 1-2 Oblivious Transfer jT] (1-2 OT),
first introduced in j3jlH[5]. Hence, 1-2 OT is commonly
used to provide a "proof of concept" for the universal
power of a new model. In 1-2 OT, the sender Alice starts
off with two bit strings $S_0$ and $S_1$, and the receiver Bob
holds a choice bit $C$. The protocol allows Bob to retrieve
$S_C$ in such a way that Alice does not learn any
information about $C$ (thus, Bob cannot simply ask for
$S_C$). At the same time, Alice must be ensured that Bob
only learns $S_C$, and no information about the other string
$S_{1-C}$ (thus, Alice cannot simply send him both $S_0$ and
$S_1$). A 1-2 OT protocol is called unconditionally secure
when neither Alice nor Bob can break these conditions, 
even when given unlimited resources. 

In this letter, we propose a cryptographic model based 
on current practical and near-future technical limita- 
tions, namely that quantum storage is noisy. Thus the 
presence of noise, the very problem that makes it so 
hard to implement a quantum computer, can actually 
be turned to our advantage. Recently it was shown that 
secure OT is possible when the receiver Bob has a limited
amount of quantum memory [13, 14] at his disposal.
Within this 'bounded-quantum-storage model' OT can
be implemented securely as long as a dishonest receiver
Bob can store at most $n/4 - O(1)$ qubits coherently, where
$n$ is the number of qubits transmitted from Alice to Bob.
This approach assumes an explicit limit on the physical 
number of qubits (or more precisely, on the rank of the 
adversary's quantum state). However, at present we do 
not know of any practical physical situation which en- 
forces such a limit for quantum information. We there- 
fore propose an alternative model of noisy quantum stor- 
age inspired by present-day physical implementations: 
We require no explicit memory bound, but we assume 
that any qubit that is placed into quantum storage un- 
dergoes a certain amount of noise. The advantage of our 
model is that we can evaluate the security parameters of 
a protocol explicitly in terms of the noise. In this let- 
ter, we show that the OT protocol from [T3] is secure in 
our new model. This simple OT protocol could be im- 
plemented using photonic qubits (using polarization or 
phase-encoding) with standard BB84 quantum key distribution
[15, 16] hardware, only with different classical
post-processing. 

We analyze the case where the adversary performs 
individual-storage attacks. More precisely, Bob may 
choose to (partially) measure (a subset of) his qubits 
immediately upon reception using an error-free product 
measurement. In addition he can store each incoming 
qubit, or post-measurement state from a prior partial 
measurement, separately and wait until he gets addi- 
tional information from Alice (at Step 3 in Protocol 1). 
Once he obtained the additional information he may per- 
form an arbitrary coherent measurement on his stored 
qubits using the stored classical data. We thereby assume 
that each qubit undergoes some noise while in storage, and
we also assume that the noise acts independently on each
qubit. In the following, we use the super-operator $\mathcal{S}_i$ to
denote the combined channel given by Bob's initial (partial)
measurement and the noise. Practically, noise can
arise as a result of transferring the qubit onto a different
physical carrier, such as an atomic ensemble or atomic
state for example, or into an error-correcting code with
fidelity less than 1. In addition, the (encoded) qubit will
undergo noise once it has been transferred into 'storage'.
Hence, the quantum operation $\mathcal{S}_i$ in any real world setting
necessarily includes some form of noise.

First, we show that for any initial measurement, and 
any noisy superoperator $\mathcal{S}_i$ the 1-2 OT protocol is secure
if the honest participants can perform perfect noise-free 
quantum operations. As an explicit example we consider 
the case of depolarizing noise during storage. In partic- 
ular, we can show the following all-or-nothing result: if 
Bob's storage noise is above a certain threshold, his op- 
timal cheating strategy is to perform a measurement in 
the so-called Breidbart basis. On the other hand, if the 
noise level is below the threshold, he is best off storing 
each qubit as is. 

Second, we consider a more practical setting using pho- 
tonic qubits where the honest participants experience 
noise themselves: their quantum operations may be in- 
accurate or noisy, they may use weak laser pulses in- 
stead of single photon sources, and qubits may undergo 
decoherence during transmission. Note, however, that 
unlike in QKD, we typically want to execute such pro- 
tocols over very short distances (for example in banking 
applications) where the depolarization rate during trans- 
mission is very low. We give a practical OT-protocol that 
is a small modification of the perfect protocol. It allows 
us to deal with erasure errors (i.e. photon loss) separately.
We show how to derive trade-offs between the
amount of storage noise, the amount of noise for the op- 
erations performed by the honest participants, and the 
security of the protocol. 

Finally, we briefly discuss the security of our protocol 
from the future perspective of fault-tolerant quantum 
computation with photonic qubits. We also discuss 
the issue of analyzing fully coherent attacks for our 
protocol. Indeed, there is a close relation between 
the OT protocol and BB84 quantum key distribu- 
tion. Our security analysis can in principle be carried 
over to obtain a secure identification scheme in the 
noisy-quantum-storage model analogous to [17]. This
scheme achieves password-based identification and is 
of particular practical relevance as it can be used for 
banking applications. 



A. Related work 

Precursors of the idea of basing cryptographic security 
on storage-noise are already present in [TJ, but no rigorous
analysis was carried through in that paper. Furthermore,
it was pointed out in [18, 19] how the original
bounded-quantum-storage analysis applies in the case of 
noise levels which are so large that the rank of a dishonest 
player's quantum storage is reduced to n/4. In contrast, 
we are able to give an explicit security trade-off even for 
small amounts of noise. We note that our security proof 
does not exploit the noise in the communication channel
(which has been done in the classical setting to achieve
cryptographic tasks, see e.g. (2Q1 El]), but is solely based
on the fact that the dishonest receiver's quantum storage 
is noisy. A model based on classical noisy storage is akin 
to the setting of a classical noisy channel, if the opera- 
tions are noisy, or the classical bounded-storage model, 
both of which are difficult to enforce in practise. Another 
technical limitation has been considered in [22] where a
bit-commitment scheme was shown secure under the as- 
sumption that the dishonest committer can only measure 
a limited amount of qubits coherently. Our analysis dif- 
fers in that we can in fact allow any coherent destructive 
measurement at the end of the protocol. 

I. DEFINITIONS AND TOOLS 

We start by introducing some tools, definitions and 
technical lemmas. To define the security of OT we need 
to express what it means for a dishonest quantum player 
not to gain any information. Let $\rho_{XE}$ be a state that
is part classical, part quantum, i.e. a cq-state
$\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x) |x\rangle\langle x| \otimes \rho_E^x$. Here, $X$ is a classical random
variable distributed over the finite set $\mathcal{X}$ according to
distribution $P_X$. The non-uniformity of $X$ given
$\rho_E = \sum_x P_X(x) \rho_E^x$ is defined as

$$d(X|\rho_E) := \frac{1}{2} \left\| \mathbb{I}/|\mathcal{X}| \otimes \rho_E - \sum_x P_X(x) |x\rangle\langle x| \otimes \rho_E^x \right\|_{\mathrm{tr}}, \tag{1}$$

where $\|A\|_{\mathrm{tr}} = \mathrm{Tr}\sqrt{A^\dagger A}$. Intuitively, if $d(X|\rho_E) \leq \varepsilon$
the distribution of $X$ is $\varepsilon$-close to uniform even given
$\rho_E$, i.e., $\rho_E$ gives hardly any information about $X$. A
simple property of the non-uniformity which follows from
its definition is that

$$d(X|\rho_{ED}) = d(X|\rho_E) \tag{2}$$

for any cq-state of the form $\rho_{XED} = \rho_{XE} \otimes \rho_D$.

We prove the security of a randomized version of OT. 
In such a protocol, Alice does not choose her input strings 
herself, but instead receives two strings $S_0, S_1 \in \{0,1\}^\ell$
chosen uniformly at random by the protocol. Randomized
OT (ROT) can easily be converted into OT: after
the ROT protocol is completed, Alice uses her strings
$S_0, S_1$ obtained from ROT as one-time pads to encrypt
her original inputs $\hat{S}_0$ and $\hat{S}_1$, i.e. she sends an additional
classical message consisting of $\hat{S}_0 \oplus S_0$ and $\hat{S}_1 \oplus S_1$ to Bob.
Bob can retrieve the message of his choice by computing
$S_C \oplus (\hat{S}_C \oplus S_C) = \hat{S}_C$. He stays completely ignorant
about the other message $\hat{S}_{1-C}$ since he is ignorant about
$S_{1-C}$. The security of a quantum protocol implementing
ROT is formally defined in [U QJ]: 

Definition 1 An $\varepsilon$-secure 1-2 ROT$^\ell$ is a protocol between
Alice and Bob, where Bob has input $C \in \{0,1\}$,
and Alice has no input. For any distribution of $C$:

• (Correctness) If both parties are honest, Alice gets
output $S_0, S_1 \in \{0,1\}^\ell$ and Bob learns $Y = S_C$
except with probability $\varepsilon$.

• (Receiver-security) If Bob is honest and obtains
output $Y$, then for any cheating strategy of Alice
resulting in her state $\rho_A$, there exist random variables
$S'_0$ and $S'_1$ such that $\Pr[Y = S'_C] \geq 1 - \varepsilon$ and
$C$ is independent of $S'_0, S'_1$ and $\rho_A$.

• (Sender-security) If Alice is honest, then for any
cheating strategy of Bob resulting in his state $\rho_B$,
there exists a random variable $C' \in \{0,1\}$ such that
$d(S_{1-C'} | S_{C'} C' \rho_B) \leq \varepsilon$.

The OT protocol makes use of two-universal hash functions.
These hash functions are used for privacy amplification,
similar to their use in quantum key distribution. A class $\mathcal{F}$
of functions $f : \{0,1\}^n \to \{0,1\}^\ell$ is called two-universal
if for all $x \neq y \in \{0,1\}^n$ and $f \in \mathcal{F}$ chosen uniformly
at random from $\mathcal{F}$, we have $\Pr[f(x) = f(y)] \leq 2^{-\ell}$. For
example, the set of all affine functions from $\{0,1\}^n$ to
$\{0,1\}^\ell$ is two-universal [23]. The following theorem expresses
how hash functions can increase the privacy of a
random variable $X$ given a quantum adversary holding
$\rho_E$ and the function $F$:

Theorem 1 (Th. 5.5.1 in [24] (see also [23])) Let
$\mathcal{F}$ be a class of two-universal hash functions from $\{0,1\}^n$
to $\{0,1\}^\ell$. Let $F$ be a random variable that is uniformly
and independently distributed over $\mathcal{F}$, and let $\rho_{XE}$ be a
cq-state. Then,

$$d(F(X)|F,\rho_E) \leq 2^{-\frac{1}{2}(H_2(X|\rho_E)-\ell)-1},$$

where $H_2(\cdot|\cdot)$ denotes the conditional collision entropy
defined in fEfl as $H_2(X|\rho_E) := -\log \mathrm{Tr}\left((\mathbb{I} \otimes \rho_E^{-1/2})\rho_{XE}\right)^2$
of the cq-state $\rho_{XE}$.

In our application we will make use of a simplified form 
of this theorem which follows directly from [26, Lemma
1]. The non-uniformity in the theorem above is bounded
by the average success probability of guessing $x$ given the
state $\rho_E$.

Lemma 1 For a measurement $M$ with POVM elements
$\{M_x\}_{x \in \mathcal{X}}$ let $p^M_{y|x} = \mathrm{Tr}(M_y \rho_E^x)$ be the probability of outputting
guess $y$ given $\rho_E^x$. Then $P_g(X|\rho_E) = \sup_M \sum_x P_X(x) p^M_{x|x}$
is the maximal average success probability of guessing $x \in \mathcal{X}$
given the reduced state $\rho_E$ of the cq-state $\rho_{XE}$. We
have

$$d(F(X)|F,\rho_E) \leq 2^{\frac{\ell}{2}-1} \sqrt{P_g(X|\rho_E)}.$$

If we have an additional $k$ bits of classical information
$D$ about $X$, we can bound

$$d(F(X)|F,D,\rho_E) \leq 2^{\frac{\ell+k}{2}-1} \sqrt{P_g(X|\rho_E)}. \tag{3}$$

The following lemma is proven in the Appendix and 
states that the optimal strategy to guess $X = x \in \{0,1\}^n$
given individual quantum information about the bits of
$X$ is to measure each register individually.

Lemma 2 Let $\rho_{XE}$ be a cq-state with uniformly distributed
$X = x \in \{0,1\}^n$ and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \ldots \otimes \rho_{E_n}^{x_n}$. Then
the maximum probability of guessing $x$ given state $\rho_E$ is
$P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by
measuring each register separately.

The last tool we need is an uncertainty relation for
noisy channels and measurements. Let $\sigma_{0,+} = |0\rangle\langle 0|$,
$\sigma_{1,+} = |1\rangle\langle 1|$, $\sigma_{0,\times} = |+\rangle\langle +|$ and $\sigma_{1,\times} = |-\rangle\langle -|$
denote the BB84-states corresponding to the encoding of
a bit $z \in \{0,1\}$ into basis $b \in \{+,\times\}$ (computational
resp. Hadamard basis). Let $\sigma_+ = (\sigma_{0,+} + \sigma_{1,+})/2$
and $\sigma_\times = (\sigma_{0,\times} + \sigma_{1,\times})/2$. Consider the state $\mathcal{S}(\sigma_{z,b})$
for some super-operator $\mathcal{S}$. Note that $P_g(X|\mathcal{S}(\sigma_b))$ (see
Lemma 2) denotes the maximal average success probability
for guessing a uniformly distributed $X$ when $b = +$
or $b = \times$. An uncertainty relation for such success probabilities
can be stated as

$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) \leq \Delta(\mathcal{S})^2, \tag{4}$$

where $\Delta$ is a function from the set of superoperators to
the real numbers. For example, when $\mathcal{S}$ is a quantum
measurement $\mathcal{M}$ mapping the state $\sigma_{z,b}$ onto purely classical
information it can be argued (e.g. by using a purification
argument and Corollary 4.15 in [T5]) that $\Delta(\mathcal{M}) = \frac{1}{2}(1 + 2^{-1/2})$,
which can be achieved by a measurement
in the Breidbart basis, where the Breidbart basis is given
by $\{|0\rangle_B, |1\rangle_B\}$ with $|0\rangle_B = \cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle$ and
$|1\rangle_B = \sin(\pi/8)|0\rangle - \cos(\pi/8)|1\rangle$.

It is clear that for a unitary superoperator $U$ we have
$\Delta(U)^2 = 1$ which can be achieved. It is not hard to show
that (see the proof in the Appendix)

Lemma 3 The only superoperators $\mathcal{S}: \mathbb{C}^2 \to$ for
which

$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) = 1, \tag{5}$$

are reversible operations.

II. PROTOCOL AND ANALYSIS 

We use $\in_R$ to denote the uniform choice of an element
from a set. We further use $x|_{\mathcal{I}}$ to denote the string
$x = x_1, \ldots, x_n$ restricted to the bits indexed by the set
$\mathcal{I} \subseteq \{1, \ldots, n\}$. For convenience, we take $\{+,\times\}$ instead of
$\{0,1\}$ as domain of Bob's choice bit $C$ and denote by $\bar{C}$
the bit different from $C$.

Protocol 1 ([14]) 1-2 ROT$^\ell(C,T)$

1. Alice picks $X \in_R \{0,1\}^n$ and $\Theta \in_R \{+,\times\}^n$. Let
$\mathcal{I}_b = \{i \mid \Theta_i = b\}$ for $b \in \{+,\times\}$. At time $t = 0$,
she sends $\sigma_{X_1,\Theta_1} \otimes \ldots \otimes \sigma_{X_n,\Theta_n}$ to Bob.

2. Bob measures all qubits in the basis corresponding
to his choice bit $C \in \{+,\times\}$. This yields outcome
$X' \in \{0,1\}^n$.

3. Alice picks two hash functions $F_+, F_\times \in_R \mathcal{F}$, where
$\mathcal{F}$ is a class of two-universal hash functions. At
time $t = T$, she sends $\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$ to Bob. Alice
outputs $S_+ = F_+(X|_{\mathcal{I}_+})$ and $S_\times = F_\times(X|_{\mathcal{I}_\times})$.

4. Bob outputs $S_C = F_C(X'|_{\mathcal{I}_C})$.
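
The following simulation is an added example, not code from the paper: it runs Protocol 1 for an honest Bob and then the ROT-to-OT conversion described in Section I, using random affine maps over GF(2) as the two-universal class. The quantum step is replaced by its classical outcome statistics (an assumption that only covers ideal devices and an honest receiver), and all function names are hypothetical.

```python
import random

BASES = ("+", "x")  # '+' computational basis, 'x' Hadamard basis


def sample_affine_hash(m, ell, rng):
    """Draw f(v) = Mv xor b uniformly from the affine maps {0,1}^m -> {0,1}^ell."""
    rows = [rng.getrandbits(m) if m else 0 for _ in range(ell)]  # rows of M as bitmasks
    offset = [rng.getrandbits(1) for _ in range(ell)]            # the vector b
    return rows, offset


def apply_hash(h, bits):
    rows, offset = h
    v = sum(bit << i for i, bit in enumerate(bits))
    # output bit j = parity(row_j AND v) xor b_j, i.e. arithmetic over GF(2)
    return [(bin(row & v).count("1") & 1) ^ b for row, b in zip(rows, offset)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bob_measure(x, theta, c, rng):
    """Step 2 for an honest Bob, simulated classically (assumption: ideal devices).

    Measuring a BB84 state in the basis it was prepared in returns the encoded
    bit; measuring it in the other basis returns a uniformly random bit.
    """
    return [xi if ti == c else rng.getrandbits(1) for xi, ti in zip(x, theta)]


def run_rot(n, ell, c, rng=None):
    """One run of Protocol 1 with choice c in {'+', 'x'}.

    Returns Alice's outputs {b: S_b}, Bob's output, and the number of positions
    in the index set of the other basis where Bob's outcome differs from X.
    """
    rng = rng or random.SystemRandom()  # OS randomness unless a seeded rng is passed
    # Step 1: Alice picks X and Theta and sends the BB84 states.
    x = [rng.getrandbits(1) for _ in range(n)]
    theta = [rng.choice(BASES) for _ in range(n)]
    # Step 2: Bob measures everything in basis c.
    x_prime = bob_measure(x, theta, c, rng)
    # Step 3 (after waiting time T): Alice reveals the index sets and hashes.
    index = {b: [i for i, t in enumerate(theta) if t == b] for b in BASES}
    hashes = {b: sample_affine_hash(len(index[b]), ell, rng) for b in BASES}
    s = {b: apply_hash(hashes[b], [x[i] for i in index[b]]) for b in BASES}
    # Step 4: Bob hashes his outcomes on the positions that match his basis.
    y = apply_hash(hashes[c], [x_prime[i] for i in index[c]])
    other = "x" if c == "+" else "+"
    wrong = sum(x[i] != x_prime[i] for i in index[other])
    return s, y, wrong


def ot_from_rot(msg_plus, msg_x, c, n=256, rng=None):
    """ROT -> OT: Alice one-time-pads her two inputs with S_+ and S_x."""
    if len(msg_plus) != len(msg_x):
        raise ValueError("both messages must have the same length")
    s, y, _ = run_rot(n, len(msg_plus), c, rng)
    cipher = {"+": xor(msg_plus, s["+"]), "x": xor(msg_x, s["x"])}
    return xor(cipher[c], y)  # Bob removes the pad he knows
```

The `wrong` counter shows why an honest Bob cannot compute the other hash: on the mismatched positions his outcomes are uncorrelated with Alice's bits.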



A. Analysis

We first show that this protocol is secure according to
Definition 1.

(i) correctness: It is clear that the protocol is correct.
Bob can determine the string $X|_{\mathcal{I}_C}$ (except with negligible
probability $2^{-n}$ the set $\mathcal{I}_C$ is non-empty) and hence
obtains $S_C$.

(ii) security against dishonest Alice: this holds in the
same way as shown in [14]. As the protocol is non-interactive,
Alice never receives any information from
Bob at all, and Alice's input strings can be extracted
by letting her interact with an unbounded receiver.

(iii) security against dishonest Bob: Our goal is to
show that there exists a $C' \in \{+,\times\}$ such that Bob
is completely ignorant about $S_{\bar{C}'}$. In our model Bob's
collective storage cheating strategy can be described by
some super-operator $\mathcal{S} = \bigotimes_{i=1}^n \mathcal{S}_i$ that is applied on the
qubits between the time they arrive at Bob's and the time
$T$ that Alice sends the classical information. We define
the choice bit $C'$ as a fixed function of $\mathcal{S}$. Formally, we
set $C' = +$ if $\prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_+)) \geq \prod_{i=1}^n P_g(X_i|\mathcal{S}_i(\sigma_\times))$
and $C' = \times$ otherwise.

Due to the uncertainty relation for each $\mathcal{S}_i$ (from
Eq. (4)) it then holds that
$\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'})) \leq \prod_i \Delta(\mathcal{S}_i) \leq (\Delta_{\max})^n$
where $\Delta_{\max} := \max_i \Delta(\mathcal{S}_i)$. This
will be used in the proof below.

In the remainder of this section, we show that the non-uniformity
$\delta_{\mathrm{sec}} := d(S_{\bar{C}'}|S_{C'}C'\rho_B)$ is negligible in $n$ for
collective attacks. Here $\rho_B$ is the complete quantum
state of Bob's lab at the end of the protocol including
the classical information $\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$ he got from Alice
and his quantum information $\bigotimes_{i=1}^n \mathcal{S}_i(\sigma_{X_i,\Theta_i})$. Expressing
the non-uniformity in terms of the trace-distance allows
us to observe that
$\delta_{\mathrm{sec}} = 2^{-n} \sum_{\theta \in \{+,\times\}^n} d(S_{\bar{C}'}|\Theta = \theta, S_{C'}C'\rho_B)$.
Now, for fixed $\Theta = \theta$, it is clear from
the construction that $S_{C'}$, $C'$, $F_{C'}$ and $\bigotimes_{i \in \mathcal{I}_{C'}} \mathcal{S}_i(\sigma_{X_i,C'})$
are independent of $S_{\bar{C}'} = F_{\bar{C}'}(X|_{\mathcal{I}_{\bar{C}'}})$ and we can use
Eq. (2). Hence, one can bound the non-uniformity as in
Lemma 1, i.e. by the square-root of the probability of correctly
guessing $X|_{\mathcal{I}_{\bar{C}'}}$ given the state $\bigotimes_{i \in \mathcal{I}_{\bar{C}'}} \mathcal{S}_i(\sigma_{X_i,\bar{C}'})$.
Lemma 2 tells us that to guess $X$, Bob can measure each
remaining qubit individually and hence we obtain

$$\delta_{\mathrm{sec}} \leq 2^{\frac{\ell}{2}-1} \cdot 2^{-n} \sum_{\theta \in \{+,\times\}^n} \sqrt{\prod_{i \in \mathcal{I}_{\bar{C}'}} P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'}))} \leq 2^{\frac{\ell}{2}-1} \sqrt{2^{-n} \prod_{i=1}^n \left(1 + P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'}))\right)},$$

where we used the concavity of the square-root function
in the last inequality. Lemma 4 together with the bound
$\prod_i P_g(X_i|\mathcal{S}_i(\sigma_{\bar{C}'})) \leq (\Delta_{\max})^n$ lets us conclude that

$$\delta_{\mathrm{sec}} \leq 2^{\frac{\ell}{2}-1} \cdot (\Delta_{\max})^{\frac{\log(4/3)}{2} n}.$$

Lemma 3 shows that for essentially any noisy superoperator
$\Delta(\mathcal{S}) < 1$. This shows that for any collective
attacks there exists an $n$ which yields arbitrarily high
security.



B. Example 

Let us now consider the security in an explicit example: 
a noisy depolarizing channel. In order to explicitly bound 
$\Delta(\mathcal{S}_i)$ we should allow for intermediate strategies of Bob
in which he partially measures the incoming qubits leaving
some quantum information undergoing depolarizing
noise. To model this noise we let $\mathcal{S}_i = \mathcal{N} \circ \mathcal{P}_i$, where
$\mathcal{P}_i$ is any noiseless quantum operation of Bob's choosing
from one qubit to one qubit that generates some classical
output. For example, $\mathcal{P}_i$ could be a partial measurement
providing Bob with some classical information
and a slightly disturbed quantum state, or just a unitary
operation. Let

$$\mathcal{N}(\rho) := r\rho + (1 - r)\frac{\mathbb{I}}{2}$$

be the fixed depolarizing 'quantum storage' channel that
Bob cannot influence (see Figure 1).

To determine $\delta_{\mathrm{sec}}$, we have to find an uncertainty relation
similar to Eq. (4) by optimizing over all possible
partial measurements $\mathcal{P}_i$:

$$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)^2 = \max_{\mathcal{P}_i} P_g(X|\mathcal{S}_i(\sigma_+)) \cdot P_g(X|\mathcal{S}_i(\sigma_\times)).$$



We solve this problem for depolarizing noise using the 
symmetries inherent in our problem. In Appendix B we
prove the following.

Theorem 2 Let $\mathcal{N}$ be the depolarizing channel and let
$\max_{\mathcal{S}_i} \Delta(\mathcal{S}_i)$ be defined as above. Then



inax A (Si) 



5 





FIG. 1: Bob performs a partial measurement $\mathcal{P}_i$, followed by
noise $\mathcal{N}$, and outputs a guess bit $x_g$ depending on his classical
measurement outcome, the remaining quantum state, and the
additional basis information.



Our result shows that for $r < 1/\sqrt{2}$ a direct measurement
$\mathcal{M}$ in the Breidbart basis is the best attack Bob can
perform. For this measurement, we have $\Delta(\mathcal{M}) = 1/2 + 1/(2\sqrt{2})$.
If the depolarizing noise is low ($r > 1/\sqrt{2}$),
then our result states that the best strategy for Bob is to
simply store the qubit as is.



III. PRACTICAL OBLIVIOUS TRANSFER 

In this section, we prove the security of a ROT protocol 
that is robust against noise for the honest parties. Our 
protocol is thereby a small modification of the protocol 
considered in [TH] . Note that for our analysis, we have to 
assume a worst-case scenario where a dishonest receiver 
Bob has access to a perfect noise-free quantum channel 
and only experiences noise during storage. First, we con- 
sider erasure noise (in practice corresponding to photon 
loss) during preparation, transmission and measurement 
of the qubits by the honest parties. Let $1 - p_{\mathrm{erase}}$ be the
total probability for an honest Bob to measure and detect
a photon in the $\{+,\times\}$ basis given that an honest Alice
prepares a weak pulse in her lab and sends it to him.
The probability $p_{\mathrm{erase}}$ is determined among others by the
mean photon number in the pulse, the loss on the channel
and the quantum efficiency of the detector. In our
protocol we assume that the (honest) erasure rate $p_{\mathrm{erase}}$
is independent of whether qubits were encoded or measured
in the $+$- or $\times$-basis. This assumption is necessary
to guarantee the correctness and the security against a 
cheating Alice only. Fortunately, this assumption is well 
matched with physical capabilities. 

Any other noise source during preparation, transmis- 
sion and measurement can be characterized as an effec- 
tive classical noisy channel resulting in the output bits 
$X'$ that Bob obtains at Step 3 of Protocol 2. For simplicity,
we model this compound noise source as a classical
binary symmetric channel acting independently on
each bit of $X$. Typical noise sources for polarization-encoded
qubits are depolarization during transmission,
dark counts in Bob's detector and misaligned polarizing
beam-splitters. Let the effective bit-error probability of
this binary symmetric channel be $p_{\mathrm{error}} < 1/2$.

Before engaging in the actual protocol, Alice and Bob
agree on the system parameters $p_{\mathrm{erase}}$ and $p_{\mathrm{error}}$ similarly
to Step 1 of the protocol in [7j. Furthermore, they agree
on a family $\{C_n\}$ of linear error correcting codes of length
$n$ capable of efficiently correcting $n \cdot p_{\mathrm{error}}$ errors. For any
string $x \in \{0,1\}^n$, error correction is done by sending the
syndrome information $syn(x)$ to Bob from which he can
correctly recover $x$ if he holds an output $x' \in \{0,1\}^n$
obtained by flipping each bit of $x$ independently with
probability $p_{\mathrm{error}}$. It is known that for large enough $n$,
the code $C_n$ can be chosen such that its rate is arbitrarily
close to $1 - h(p_{\mathrm{error}})$ and the syndrome length (the number
of parity check bits) is asymptotically bounded by
$|syn(x)| < h(p_{\mathrm{error}})n$ [27], where $h(p_{\mathrm{error}})$ is the binary
Shannon entropy. We assume the players have synchronized
clocks. In each time slot, Alice sends one qubit
(laser pulse) to Bob.

Protocol 2 Noise-Protected Photonic 1-2 ROT$^\ell(C,T)$

1. Alice picks $X \in_R \{0,1\}^n$ and $\Theta \in_R \{+,\times\}^n$.

2. For $i = 1, \ldots, n$: In time slot $t = i$, Alice sends
$\sigma_{X_i,\Theta_i}$ as a phase- or polarization-encoded weak
pulse of light to Bob.

3. In each time slot, Bob measures the incoming qubit
in the basis corresponding to his choice bit $C \in \{+,\times\}$
and records whether he detects a photon or
not. He obtains some bit-string $X' \in \{0,1\}^m$ with
$m \leq n$.

4. Bob reports back to Alice in which time slots he
received a qubit. Alice restricts herself to the set of
$m \leq n$ bits that Bob did not report as missing. Let
this set of qubits be $S_{\mathrm{remain}}$ with $|S_{\mathrm{remain}}| = m$.

5. Let $\mathcal{I}_b = \{i \in S_{\mathrm{remain}} \mid \Theta_i = b\}$ for $b \in \{+,\times\}$ and
let $m_b = |\mathcal{I}_b|$. Alice aborts the protocol if either $m_+$
or $m_\times < (1 - p_{\mathrm{erase}})n/2 - O(\sqrt{n})$. If this is not the
case, Alice picks two two-universal hash functions
$F_+, F_\times \in_R \mathcal{F}$. At time $t = n + T$, Alice sends
$\mathcal{I}_+, \mathcal{I}_\times, F_+, F_\times$, and the syndromes $syn(X|_{\mathcal{I}_+})$ and
$syn(X|_{\mathcal{I}_\times})$ according to codes of appropriate length
$m_b$ to Bob. Alice outputs $S_+ = F_+(X|_{\mathcal{I}_+})$ and
$S_\times = F_\times(X|_{\mathcal{I}_\times})$.

6. Bob uses $syn(X|_{\mathcal{I}_C})$ to correct the errors on his output
$X'|_{\mathcal{I}_C}$. He obtains the corrected bit-string $X_{\mathrm{cor}}$
and outputs $S'_C = F_C(X_{\mathrm{cor}})$.

Let us consider the security and correctness of this 
modified protocol. 

(i) correctness: By assumption, $p_{\mathrm{erase}}$ is independent of
the basis in which Alice sent the qubits. Thus, $S_{\mathrm{remain}}$
is with high probability a random subset of
$m \approx (1 - p_{\mathrm{erase}})n \pm O(\sqrt{n})$ qubits independent of the value of $\Theta$.
This implies that in Step 5 the protocol is aborted with
a probability exponentially small in $m$, and hence in $n$.
The codes are chosen such that Bob can decode except
with negligible probability. These facts imply that if both
parties are honest the protocol is correct (i.e. $S_C = S'_C$)
with exponentially small probability of error.

(ii) security against dishonest Alice: Even though in this
scenario Bob does communicate to Alice, the information
stating which qubits were erased is (by assumption) independent
of the basis in which he measured and thus of his
choice bit $C$. Hence Alice does not learn anything about
his choice bit $C$. Her input strings can be extracted as
in Protocol 1.

(iii) security against dishonest Bob: First of all, we note
that Bob can always make Alice abort the protocol by reporting
back an insufficient number of received qubits. If
this is not the case, then we define $C'$ as in the analysis of
Protocol 1 and we need to bound the non-uniformity $\delta_{\mathrm{sec}}$
as before. Let us for simplicity assume that $m_b = m/2$
(this is true with high probability modulo $O(\sqrt{n})$ factors
which become negligible in the security for large $n$) with
$m \approx (1 - p_{\mathrm{erase}})n$. We now follow through the same analysis,
where we restrict ourselves to the set of remaining
qubits. We first follow through the same steps simplifying
the non-uniformity using that the total attack superoperator
$\mathcal{S}$ is a product of superoperators. Then we
use the bound in Lemma 1 for each $\theta \in \{+,\times\}^n$ where
we now have to condition on the additional information
$syn(X|_{\mathcal{I}_{\bar{C}'}})$ which is $m\,h(p_{\mathrm{error}})/2$ bits long. Using Eq.
(3) and following identical steps in the remainder of the
proof implies

From this expression it is clear that the security depends
crucially on the value of $\Delta_{\max}$ versus the binary entropy
$h(p_{\mathrm{error}})$. The trade-off in our bound is not extremely
favorable for security as we will see.

A. Depolarizing noise 

We first consider again the security tradeoff when
Bob's storage is affected by depolarizing noise, and additionally
the channel itself is subject to depolarizing
noise. Let us assume that $r < 1/\sqrt{2}$ for the storage
noise. According to Theorem 2 Bob's optimal attack
is to measure each qubit individually in the Breidbart
basis. In this case, our protocol is secure as long as
$h(p_{\mathrm{error}}) < 2\log\left(\frac{1}{2} + \frac{1}{2\sqrt{2}}\right)\log(3/4)$. Hence, we require
that $p_{\mathrm{error}} \lesssim 0.029$. This puts a strong restriction on the
noise rate of the honest protocol. Yet, since our protocols
are particularly interesting at short distances (e.g.
in the case of secure identification), we can imagine very
short free-space implementations such that depolarization
noise during transmission is negligible and the main
depolarization noise source is due to Bob's honest measurements.
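
As an added numerical check (not part of the paper), the code below computes $\Delta$ for the two attacks the text compares, an immediate Breidbart-basis measurement and storing each qubit unchanged under depolarizing noise $r$, and then solves the security condition above for the largest tolerable honest error rate. Base-2 logarithms and all function names are assumptions of this sketch; with base 2 the result reproduces the 0.029 figure.

```python
import math

S2 = 1 / math.sqrt(2)
# BB84 states as real amplitude vectors, indexed by (bit, basis)
KET = {(0, "+"): (1.0, 0.0), (1, "+"): (0.0, 1.0),
       (0, "x"): (S2, S2), (1, "x"): (S2, -S2)}
# Breidbart basis vectors |0>_B and |1>_B as given in the text
BREIDBART = ((math.cos(math.pi / 8), math.sin(math.pi / 8)),
             (math.sin(math.pi / 8), -math.cos(math.pi / 8)))


def density(v):
    return [[v[0] * v[0], v[0] * v[1]], [v[1] * v[0], v[1] * v[1]]]


def depolarize(rho, r):
    """N(rho) = r*rho + (1 - r)*I/2."""
    return [[r * rho[i][j] + (1 - r) * (0.5 if i == j else 0.0)
             for j in range(2)] for i in range(2)]


def helstrom(rho0, rho1):
    """Optimal guessing probability for two equiprobable states:
    1/2 + ||rho0 - rho1||_tr / 4. For real qubit states the difference is
    [[a, b], [b, -a]], whose eigenvalues are +-sqrt(a^2 + b^2)."""
    a = rho0[0][0] - rho1[0][0]
    b = rho0[0][1] - rho1[0][1]
    return 0.5 + 0.5 * math.hypot(a, b)


def guess_after_storage(basis, r):
    """Bob stores the qubit as is, learns the basis later, then measures optimally."""
    return helstrom(depolarize(density(KET[(0, basis)]), r),
                    depolarize(density(KET[(1, basis)]), r))


def guess_after_breidbart(basis):
    """Bob measures at once in the Breidbart basis and keeps the outcome as his guess."""
    p = 0.0
    for bit in (0, 1):
        v, m = KET[(bit, basis)], BREIDBART[bit]
        p += 0.5 * (v[0] * m[0] + v[1] * m[1]) ** 2
    return p


def delta_store(r):
    return math.sqrt(guess_after_storage("+", r) * guess_after_storage("x", r))


def delta_breidbart():
    return math.sqrt(guess_after_breidbart("+") * guess_after_breidbart("x"))


def best_individual_attack(r):
    """Compare only the two strategies named in the text for storage noise r."""
    store, measure = delta_store(r), delta_breidbart()
    return ("store", store) if store > measure else ("breidbart", measure)


def h(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def security_exponent(p_error, delta_max):
    """h(p_error)/4 + log(delta_max)*log(4/3)/2; security needs a negative value."""
    return h(p_error) / 4 + math.log2(delta_max) * math.log2(4 / 3) / 2


def max_honest_error(delta_max, tol=1e-9):
    """Largest p_error in [0, 1/2] for which the exponent is still negative."""
    if security_exponent(0.0, delta_max) >= 0:
        return 0.0  # delta_max = 1: no honest error rate is tolerable
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if security_exponent(mid, delta_max) < 0:
            lo = mid
        else:
            hi = mid
    return lo
```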

In the near-future we may anticipate that storage is
better than direct measurement when good photonic
memories become available ([251 HH1 EM El 131 [S3]).
However, we are free in our protocol to stretch the waiting
time $T$ between Bob's reception of the qubits and his
reception of the classical basis information, say, to seconds,
which means that one has to consider the overall
noise rate on a qubit that is stored for seconds. Clearly,
there is a strict tradeoff between the noise $p_{\mathrm{error}}$ on the
channel experienced by the honest parties, and the noise
experienced by dishonest Bob.

FIG. 2: $h((1-ar)/2)/4 + \log\left(\frac{1+r}{2}\right)\log(4/3)/2$, where we only
show the region below 0, i.e., where security can be attained.

For $r > 1/\sqrt{2}$ (when storage is better than the Breidbart
attack) we also obtain a tradeoff involving $r$. Suppose
that the qubits in the honest protocol are also subjected
to depolarizing noise at rate $1 - r_{\mathrm{honest}}$. The effective
classical error rate for a depolarizing channel is then
simply $p_{\mathrm{error}} = (1 - r_{\mathrm{honest}})/2$. Thus we can consider
when the function $h(p_{\mathrm{error}})/4 + \log\left(\frac{1+r}{2}\right)\log(4/3)/2$ goes
below 0. If we assume that $r_{\mathrm{honest}} = ar \leq 1$, for some
scaling factor $1 \leq a \leq 1/r$ (i.e., the honest party never
has more noise than the dishonest party), we obtain a
clear tradeoff between $a$ and $r$ depicted in Figure 2.

B. Other Attacks 

In a practical setting, other attacks may be possible 
which are not captured by the model we used when an- 
alyzing depolarizing noise. For example, attacks that 
relate to the protocol being implemented with weak coherent
states. We discuss the effect of such practical
problems in this section, but do not claim to prove security
of the practical protocol in full generality. Instead,
we merely discuss several practical attacks that a dishon- 
est Bob may mount. 

Let us consider the security threat that comes from
using coherent weak laser pulses. For a mean photon
number $\mu$, the probability to have more than one photon
in the beam is $P(k > 1) \approx \mu/2$ [IB] , where $k$ is the
number of photons and $P(k)$ is the probability of $k$ photons
in the beam with mean photon number $\mu$. In principle,
this implies that Bob can measure in both bases
with probability $\mu/2$ (and he knows when this occurs).
If with remaining probability $1 - \mu/2$ he is able to do
a measurement in the Breidbart basis, then for such attack
we have $\Delta_{\mathrm{bm}} = \mu/2 + (1 - \mu/2)(1/2 + 1/(2\sqrt{2})) = 1/2 + 1/(2\sqrt{2}) + \mu(1 - 1/\sqrt{2})/4$.

Another attack is the following. Upon reception of
his qubits Bob tries to beam-split each incoming pulse
and measure the outgoing modes in both bases. In
case he does not succeed he would like to declare erasures.
In Step 5 of the protocol Alice aborts the protocol
when Bob declares too many erasures: in principle,
this can prevent Bob from making the protocol completely
unsafe with this attack. Such a beam-splitting
attack does however put another constraint on the region
of error rates where one can have security using
Eq. Let us sketch the security bound for this particular
attack. Among the $m = (1 - p_{\mathrm{erase}})n$ remaining
time slots, Bob will have $P(k > 1)\,p_{\mathrm{beamsplit}}\,n \approx n\mu/4$
slots where he gets two or more photons and measures
them successfully in both bases (assuming perfect detector
efficiency), where $p_{\mathrm{beamsplit}} = 1/2$. For these slots,
$\Delta = 1$ so they do not enter the security bound. For
the $n(1 - p_{\mathrm{erase}} - \mu/4)$ remaining time slots, he is in a
situation similar to before. Let us assume that the erasure
rate $p_{\mathrm{erase}} \approx P(k = 0) + P(k \geq 1)\,p_{\mathrm{nodetect}}$ where
$p_{\mathrm{nodetect}}$ is the probability that Bob does not detect a
photon with his devices. Since the probability of emitting
a very large number of photons is small, we approximate
the true value by letting $p_{\mathrm{nodetect}}$ be independent
of $k$. We have $P(0) \approx 1 - \mu$ for small $\mu$ and thus
$n((1 - p_{\mathrm{erase}}) - \mu/4) = n\mu(p_{\mathrm{detect}} - 1/4)$. In principle,
this leads to a bound as in Eq. (6). However, security
remains to be analyzed rigorously, and one needs to determine
Bob's optimal cheating strategy. If single photon
sources were used, such attacks could be excluded.

In our analysis, we assumed that Alice and Bob can reliably establish a bound on $p_{\rm erase}$. However $p_{\rm erase}$ may contain a sizable contribution from the quantum efficiency of the detectors used by Bob and a dishonest receiver may cheat by using better detectors than he tells Alice during the error estimation process. For example, in the extreme case he could convince Alice that his devices are so bad that of the $n$ inputs he can detect a photon only in $\mu n/4$ cases. If instead he has perfect devices and measures two photons successfully in both bases $\mu n/4$ times, he made the protocol completely insecure. Thus we assume in our protocol that Alice can establish a reliable and reasonable lower bound on $p_{\rm erase}$.

For current and near-future implementations we note 
that an important practical limitation on Bob's attacks 
is the following. Since a photon measurement is destruc- 
tive with current technology, Bob cannot store his qubits 
while at the same time reporting correctly which ones 
were erased. So if Bob wants to store his qubits, he has to 
guess which qubits were erased. This implies that among 
the set of qubits in the set approximately Perase^fc are 
in fact erased. For an erasure channel with rate $p_{\rm erase}$ it is simple to show that $\Delta(\mathcal{S}_{\rm erase}) = 1 - p_{\rm erase}/2$. Since erasure rates can easily be high (due to small $\mu$ and other sources of photon loss), say of $O(10^{-1})$, this limits the threat of a storage attack within the current technology setting.



C. Fault-tolerant computation 

Let us discuss the long-term security when fault- 
tolerant photonic computation would become available 
(with the KLM scheme [53] for example). In such a sce- 
nario dishonest Bob can encode the incoming quantum 
information into a fault-tolerant quantum memory. This 
implies that in storage, the effective noise rate can be 
made arbitrarily small. However, the encoding of a sin- 
gle unknown state is not a fault-tolerant quantum op- 
eration: already the encoding process introduces errors 
whose rates cannot be made arbitrarily small with in- 
creasing effort. Hence, even in the presence of a quan- 
tum computer, there is a residual storage noise rate due 
to the unprotected encoding operation. The question of 
security then becomes a question of a trade-off between 
this residual noise rate versus the intrinsic noise rate. 
Our current security bound is too weak, though, to show
security in such a scenario.



IV. CONCLUSION 

We have determined security bounds for a perfect and 
a practical ROT protocol given collective storage attacks 
by Bob. Ideally, we would like to be able to show secu- 
rity against general coherent noisy attacks. The problem 
with analyzing a coherent attack of Bob described by 
some super-operator S affecting all his incoming qubits 
is not merely a technical one: one first needs to determine 
a realistic noise model in this setting. It may be possible using de Finetti theorems as in the proof of QKD [24] to prove for a symmetrized version of our protocol that any coherent attack by Bob is equivalent to a collective attack. One can in fact analyze a specific type of coherent noise, one that essentially corresponds to an eavesdropping attack in QKD. Note that the 1-2 OT protocol can be seen as two runs of QKD interleaved with each other. The strings $f(x|_{\mathcal{I}_+})$ and $f(x|_{\mathcal{I}_\times})$ are then the two keys generated. The noise must be such that it leaves Bob
with exactly the same information as the eavesdropper 
Eve in QKD. In this case, it follows from the security of 
QKD that the dishonest Bob (learning exactly the same 
information as the eavesdropper Eve) does not learn any- 
thing about the two keys. 

It is an important open question whether it is possible 
to derive security bounds (or find a better OT protocol) 
which give better trade-offs between noise in the honest 
protocol and noise induced by dishonest Bob. Finally, it 
remains to address composability of the protocol within 
our model, which has already been considered for the bounded-quantum-storage model [35].

In this appendix, we prove the lemmas used in the main text. The statements are reproduced for convenience.

Lemma 2 Let $\rho_{XE}$ be a cq-state with uniformly distributed $X \in \{0,1\}^n$ and $\rho_E^x = \rho_{E_1}^{x_1} \otimes \ldots \otimes \rho_{E_n}^{x_n}$. Then the maximum probability of guessing $x$ given state $\rho_E$ is $P_g(X|\rho_E) = \prod_{i=1}^n P_g(X_i|\rho_{E_i})$, which can be achieved by measuring each register separately.

Proof. For simplicity, we will assume that each bit is encoded using the same states $\rho_0 = \rho^0_{E_i}$ and $\rho_1 = \rho^1_{E_i}$. The argument for different encodings is analogous, but harder to read. First of all, note that we can phrase the problem of finding the optimal probability of distinguishing two states as a semi-definite program (SDP)

maximize $\frac{1}{2}\left(\mathrm{Tr}(M_0\rho_0) + \mathrm{Tr}(M_1\rho_1)\right)$
subject to $M_0, M_1 \ge 0$
$M_0 + M_1 = \mathbb{I}$

with the dual program

minimize $\frac{1}{2}\mathrm{Tr}(Q)$
subject to $Q \ge \rho_0$
$Q \ge \rho_1$.

Let $p_*$ and $d_*$ denote the optimal values of the primal and dual respectively. From the weak duality of SDPs, we have $p_* \le d_*$. Indeed, since $M_0, M_1 = \mathbb{I}/2$ are feasible solutions, we even have strong duality: $p_* = d_*$ [36].

Of course, the problem of determining the entire string $x$ from $\rho_x := \rho^x_E$ can also be phrased as an SDP:

maximize $\frac{1}{2^n}\sum_{x \in \{0,1\}^n} \mathrm{Tr}(M_x\rho_x)$
subject to $\forall x,\ M_x \ge 0$
$\sum_{x \in \{0,1\}^n} M_x = \mathbb{I}$

with the corresponding dual

minimize $\frac{1}{2^n}\mathrm{Tr}(\hat{Q})$
subject to $\forall x,\ \hat{Q} \ge \rho_x$.

Let $\hat{p}_*$ and $\hat{d}_*$ denote the optimal values of this new primal and dual respectively. Again, $\hat{p}_* = \hat{d}_*$.

Note that when trying to learn the entire string $x$, we are of course free to measure each register individually and thus $(p_*)^n \le \hat{p}_*$. We now show that $\hat{d}_* \le (d_*)^n$ by constructing a dual solution $\hat{Q}$ from the optimal solution to the dual of the single-register case, $Q_*$: Take $\hat{Q} = Q_*^{\otimes n}$. Since $Q_* \ge \rho_0$ and $Q_* \ge \rho_1$ it follows that $\forall x,\ Q_*^{\otimes n} \ge \rho_x$. Thus $\hat{Q}$ satisfies the dual constraints. Clearly, $2^{-n}\mathrm{Tr}(\hat{Q}) = (2^{-1}\mathrm{Tr}(Q_*))^n$ and thus we have $\hat{d}_* \le (d_*)^n$ as promised. But from $(p_*)^n \le \hat{p}_*$, $p_* = d_*$, and $\hat{p}_* = \hat{d}_*$ we immediately have $\hat{p}_* = (p_*)^n$. □

Lemma 3 The only superoperators $\mathcal{S}: \mathbb{C}^2 \rightarrow \mathbb{C}^k$ for which

$$P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)) = 1, \qquad (A1)$$

are reversible.



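Proof. Using Helstrom's formula [37] we have that $P_g(X|\mathcal{S}(\sigma_b)) = \frac{1}{2}\left[1 + \|\mathcal{S}(\sigma_{0,b}) - \mathcal{S}(\sigma_{1,b})\|_{\rm tr}/2\right]$ and thus for $\Delta(\mathcal{S}) = 1$ we need that for both $b \in \{\times, +\}$, $\|\mathcal{S}(\sigma_{0,b}) - \mathcal{S}(\sigma_{1,b})\|_{\rm tr}/2 = 1$. This implies that $\mathcal{S}(\sigma_{0,b})$ and $\mathcal{S}(\sigma_{1,b})$ are states which have support on orthogonal sub-spaces for both $b$. Let $\mathcal{S}(\sigma_{0,+}) = \sum_k p_k |\psi_k\rangle\langle\psi_k|$ and $\mathcal{S}(\sigma_{1,+}) = \sum_k q_k |\psi_k^\perp\rangle\langle\psi_k^\perp|$ where for all $k, l$ $\langle\psi_k^\perp|\psi_l\rangle = 0$. Consider the purification of $\mathcal{S}(\sigma_{i,b})$ using an ancillary system, i.e. $|\phi_{i,b}\rangle = U_{\mathcal{S}}|i\rangle_b|0\rangle$. We can write $|\phi_{0,+}\rangle = \sum_k \sqrt{p_k}\,|\psi_k, k\rangle$ and $|\phi_{1,+}\rangle = \sum_k \sqrt{q_k}\,|\psi_k^\perp, k\rangle$. Hence $U_{\mathcal{S}}|0\rangle_\times|0\rangle = \frac{1}{\sqrt{2}}(|\phi_{0,+}\rangle + |\phi_{1,+}\rangle)$ and similar for $U_{\mathcal{S}}|1\rangle_\times|0\rangle$. So we can write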

||«S(oo,x) - <5(o"i,x)lltx = 
ft 

For this quantity to be equal to 2 we observe that it is necessary that $p_k = q_k$. Thus we set $p_k = q_k$. Then we observe that if any of the states $|\psi_k\rangle$ (or $|\psi_k^\perp\rangle$) are non-orthogonal, i.e. $|\langle\psi_k|\psi_l\rangle| > 0$, then the quantity

$$\Big\|\sum_k p_k\left(|\psi_k\rangle\langle\psi_k^\perp| + |\psi_k^\perp\rangle\langle\psi_k|\right)\Big\|_{\rm tr} < 2.$$

Let $S_k$ be the two-dimensional subspace spanned by the orthogonal vectors $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$. By the arguments above, the spaces $S_k$ are mutually orthogonal. We can reverse the super-operator $\mathcal{S}$ by first projecting the output into one of the orthogonal subspaces $S_k$ and then applying a unitary operator $U_k$ that maps $|\psi_k\rangle$ and $|\psi_k^\perp\rangle$ onto the states $|0\rangle$ and $|1\rangle$. □

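Lemma 4 For any $1/2 \le p_i \le 1$ with $\prod_{i=1}^n p_i \le p^n$, we have

$$\frac{1}{2^n}\prod_{i=1}^n (1 + p_i) \le p^{\log(4/3)n}. \qquad (A2)$$

Proof. With $\lambda := \log(4/3)$, it is easy to verify that $p_i^{-\lambda} + p_i^{1-\lambda} \le 2$ for $1/2 \le p_i \le 1$ and therefore,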

1 n 1 n 

i=l t=l 



APPENDIX B: DEPOLARIZING NOISE 

We now evaluate $\max_{\mathcal{S}} \Delta(\mathcal{S})^2$ for depolarizing noise. Recall that to determine this quantity, we have to find an uncertainty relation, Eq. Q, by optimizing over all possible partial measurements $\mathcal{P}$ as depicted in Figure 1

$$\Delta^2 := \max_{\mathcal{S}} \Delta(\mathcal{S})^2 = \max P_g(X|\mathcal{S}(\sigma_+)) \cdot P_g(X|\mathcal{S}(\sigma_\times)),$$

where $\mathcal{S}$ acts on a single qubit, but we drop the index $i$ to improve readability. For our analysis, it is convenient to think of $\mathcal{P}$ as a partial measurement of the incoming qubit. Note that this corresponds to letting Bob perform an arbitrary CPTP map from the space of the incoming qubit to the space carrying the stored qubit. Furthermore, it is convenient to consider maximizing the sum instead of the product of guessing probabilities

$$\Gamma = \max P_g(X|\mathcal{S}(\sigma_+)) + P_g(X|\mathcal{S}(\sigma_\times)).$$

This immediately gives us the bound $\Delta \le \Gamma/2$. In the following, we will use the shorthand

$$p_+ := P_g(X|\mathcal{S}(\sigma_+)), \qquad p_\times := P_g(X|\mathcal{S}(\sigma_\times))$$

for the probabilities that Bob correctly decodes the bit after Alice has announced the basis information.

Any intermediate measurement $\mathcal{P}$ that Bob may perform can be characterized by a set of measurement operators $\{F_k\}$ such that $\sum_k F_k^\dagger F_k = \mathbb{I}$. Let the post-measurement state when Bob measures $\sigma_{x,b}$, and obtained outcome $k$, be $\tilde\sigma^k_{x,b}$.

The probability that Bob succeeds in decoding the bit after the announcement of the basis is given by the average of probabilities (over all outcomes $k$) that conditioned on the fact that he obtained outcome $k$ he correctly decodes the bit. That is for $b \in \{+, \times\}$



Pb 



k 

1 1 

2 + 4 



/- 1 2 + \\\Pa\kbN{al b ) - Pi\ kb N{a^ b )\\ tT 



^Pk\b\\r{Po\kb°-Q t b- Pi\kb°-i t b) 



+(1 - r)(Po|fc& -Pi|fcfc)V 2 lltr, 



(Bl) 



where

$$p_{k|b} = \mathrm{Tr}\left(F_k(\sigma_{0,b} + \sigma_{1,b})F_k^\dagger\right)/2 = \frac{1}{2}\mathrm{Tr}(F_k F_k^\dagger)$$

is the probability of obtaining measurement outcome $k$ conditioned on the fact that the basis was $b$ (and we even see from the above that it is actually independent of $b$), $\tilde\sigma^k_{0,b} = F_k\sigma_{0,b}F_k^\dagger/p_{k|0b}$ is the post-measurement state for outcome $k$, and $p_{0|kb}$ is the probability that we are given this state. Definitions are analogous for the bit 1.

We now show that Bob's optimal strategy is to measure in the Breidbart basis for $r < 1/\sqrt{2}$, and to simply store the qubit for $r > 1/\sqrt{2}$. This then immediately allows us to evaluate $\Delta$. To prove our result, we proceed in three steps: First, we will simplify our problem considerably until we are left with a single Hermitian measurement operator over which we need to maximize. Second, we show that the optimal measurement operator is diagonal in the Breidbart basis. And finally, we show that depending on the amount of noise, this measurement operator is either proportional to the identity, or proportional to a rank one projector. Our individual claims are indeed very intuitive.

For any measurement $M = \{F_k\}$, let $B(M) = p_+^M + p_\times^M$ for the measurement $M$, where $p_+^M$ and $p_\times^M$ are the success probabilities similar to Eq. (B1), but restricted to using the measurement $M$. First of all, note that we can easily combine two measurements. Intuitively, the following statement says that if we choose one measurement with probability $\alpha$, and the other with probability $\beta$, our average success probability will be the average of the success probabilities obtained via the individual measurements:

Claim 1 Let $M_1 = \{F_k^1\}$ and $M_2 = \{F_k^2\}$ be two measurements. Then $B(\alpha M_1 + \beta M_2) = \alpha B(M_1) + \beta B(M_2)$, where $\alpha M_1 + \beta M_2 := \{\sqrt{\alpha}F_k^1\} \cup \{\sqrt{\beta}F_k^2\}$ for $\alpha, \beta \ge 0$ and $\alpha + \beta = 1$.

Proof. Let $F = \{F_k\}_{k=1}^{f}$ and $G = \{G_k\}_{k=1}^{g}$ be measurements, $0 \le \alpha \le 1$ and $M := \{\sqrt{\alpha}F_k\}_{k=1}^{f} \cup \{\sqrt{1-\alpha}\,G_k\}_{k=f+1}^{f+g}$ be the measurement $F$ with probability $\alpha$ and measurement $G$ with probability $1 - \alpha$. We denote by $p^F, p^G, p^M$ the probabilities corresponding to measurements $F, G, M$ respectively. Observe that for $1 \le k \le f$, $p^M_{k|b} = \frac{1}{2}\mathrm{Tr}(\alpha F_k F_k^\dagger) = \alpha p^F_{k|b}$ and analogously for $f + 1 \le k \le f + g$, we have $p^M_{k|b} = (1 - \alpha)p^G_{k|b}$. We observe furthermore that for $1 \le k \le f$ and $x \in \{0, 1\}$, $\alpha$ cancels out by the normalization,



~k,M aF k a Xtb Fl 

a — — 



= crt'u and similarly for 



6 — n M ~ n F ~ u x.b 

f+l<k<f + g. Finally, we can convince ourselves 
that Px\ k b = Px\kb = Px\(k-f)b> as the Probability to be 
given state (Tg b is the same when the measurement out- 
come and the basis is fixed. Putting everything together, 
we obtain 



f+g 

fc=i 



i 



~k,M\ 



A \W\kb^:n-pT\kb^4 

E°pfr (\ + l M\kbN(a k f ) -p F {kb N(a k 

k=l ^ 

(1 - U)p% b - 



g 



k=f+i 



1, 



M\kbN^ k f)-pf lk bN(^4 



-k,G\ 



a Pb + (1 - a )Pb ■ 



We can now make a series of observations. 

Claim 2 Let $M = \{F_k\}$ and $G = \{\mathbb{I}, X, Z, XZ\}$. Then for all $g \in G$ we have $B(M) = B(gMg^\dagger)$.

Proof. This claim follows immediately from the fact that for the trace norm we have $\|UAU^\dagger\|_{\rm tr} = \|A\|_{\rm tr}$ for all unitaries $U$, and by noting that for all $g \in G$, $g$ can at most exchange the roles of 0 and 1. That is, we can perform a bit flip before the measurement which we can correct for afterwards by applying classical post-processing: we have for all $g \in G$ that

$$p_{k|b}\left\| p_{0|kb}\,\mathcal{N}\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\,\mathcal{N}\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr} = p_{k|b}\left\| p_{0|kb}\,\mathcal{N}\!\left(\frac{F_k\sigma_{0,b}F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\,\mathcal{N}\!\left(\frac{F_k\sigma_{1,b}F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr}$$

□ 

It also follows that 

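Corollary 1 For all $k$ we have for all $b \in \{+, \times\}$ and $g \in G$ that

$$\left\| p_{0|kb}\,\mathcal{N}\!\left(\frac{F_k\sigma_{0,b}F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\,\mathcal{N}\!\left(\frac{F_k\sigma_{1,b}F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr} = \left\| p_{0|kb}\,\mathcal{N}\!\left(\frac{F_k g\sigma_{0,b}g^\dagger F_k^\dagger}{p_{k|0b}}\right) - p_{1|kb}\,\mathcal{N}\!\left(\frac{F_k g\sigma_{1,b}g^\dagger F_k^\dagger}{p_{k|1b}}\right)\right\|_{\rm tr}.$$

Proof. This follows from the proof of Claim 2. □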

Claim 3 Let $G = \{\mathbb{I}, X, Z, XZ\}$. There exists a measurement operator $F$ such that the maximum of $B(M)$ over all measurements $M$ is achieved by a measurement proportional to $\{gFg^\dagger \mid g \in G\}$.

Proof. Let $M = \{F_k\}$ be a measurement. Let $K = |M|$ be the number of measurement operators. Clearly, $\hat{M} = \{\hat{F}_{g,k}\}$ with

$$\hat{F}_{g,k} = \frac{1}{2}\,gF_kg^\dagger$$

is also a quantum measurement since $\sum_{g,k}\hat{F}_{g,k}^\dagger\hat{F}_{g,k} = \mathbb{I}$. It follows from Claims 1 and 2 that $B(M) = B(\hat{M})$. Define operators

$$N_{g,k} = \frac{1}{\sqrt{2\mathrm{Tr}(F_k^\dagger F_k)}}\,gF_kg^\dagger.$$

Note that

$$\sum_{g \in G} N_{g,k}^\dagger N_{g,k} = \frac{1}{2\mathrm{Tr}(F_k^\dagger F_k)}\sum_{u,v \in \{0,1\}} X^uZ^vF_k^\dagger F_kZ^vX^u = \mathbb{I}$$

(see for example Hayashi [38]). Hence $M_k = \{N_{g,k}\}$ is a valid quantum measurement. Now, note that $\hat{M}$ can be obtained from $M_1, \ldots, M_K$ by averaging. Hence, by Claim 1 we have

$$B(M) = B(\hat{M}) \le \max_k B(M_k).$$

Let $M^*$ be the optimal measurement. Clearly, $m = B(M^*) \le \max_k B(M^*_k) \le m$ by the above and Corollary 1 from which our claim follows. □

Note that Claim 3 also gives us that we have at most 4 measurement operators. Wlog, we will take the measurement outcomes to be labeled 1, 2, 3, 4.

Finally, we note that we can restrict ourselves to optimizing over positive-semidefinite (and hence Hermitian) matrices only.

Claim 4 Let $F$ be a measurement operator, and let $g(F) := 1 + \sum_{b,k} p_{k|b}\|p_{0|b}\mathcal{N}(\tilde\sigma_{0,b}) - p_{1|b}\mathcal{N}(\tilde\sigma_{1,b})\|_{\rm tr}$ with $\tilde\sigma_{0,b} = F\sigma_{0,b}F^\dagger/\mathrm{Tr}(F\sigma_{0,b}F^\dagger)$ and $\tilde\sigma_{1,b} = F\sigma_{1,b}F^\dagger/\mathrm{Tr}(F\sigma_{1,b}F^\dagger)$. Then there exists a Hermitian operator $\hat{F}$, such that $g(F) = g(\hat{F})$.

Proof. Let $F^\dagger = \hat{F}U$ be the polar decomposition of $F^\dagger$, where $\hat{F}$ is positive semidefinite and $U$ is unitary [3U1 Corollary 7.3.3]. Evidently, since the trace is cyclic, all probabilities remain the same. It follows immediately from the definition of the trace-norm that $\|UAU^\dagger\|_{\rm tr} = \|A\|_{\rm tr}$ for all unitaries $U$, which completes our proof. □

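To summarize, our optimization problem can now be simplified to

$$\max_M B(M) = \max_M\, p_+^M + p_\times^M \le \max_F\, 1 + \sum_{b,k} p_{k|b}\|p_{0|b}\mathcal{N}(\tilde\sigma_{0,b}) - p_{1|b}\mathcal{N}(\tilde\sigma_{1,b})\|_{\rm tr}$$
$$= 1 + 2\sum_b \Big\| r\left(F(\sigma_{0,b} - \sigma_{1,b})F\right) + (1 - r)\mathrm{Tr}\left(F(\sigma_{0,b} - \sigma_{1,b})F\right)\frac{\mathbb{I}}{2}\Big\|_{\rm tr}$$

where the maximization is now taken over a single operator $F$, and we have used the fact that we can write $p_{0|kb} = p_{k|0b}/(2p_{k|b})$ and we have 4 measurement operators.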



1. F is diagonal in the Breidbart basis 

Now that we have simplified our problem already considerably, we are ready to perform the actual optimization. Since we are in $d = 2$ and $F$ is Hermitian, we may express $F$ as

for some state $|\phi\rangle$ and real numbers $\alpha, \beta$. We first of all note that from $\sum_k F_k^\dagger F_k = \mathbb{I}$, we obtain that

$$\mathrm{Tr}\Big(\sum_k F_k^\dagger F_k\Big) = \sum_k \mathrm{Tr}(F_k^\dagger F_k) = \sum_{g \in \{\mathbb{I},X,Z,XZ\}} \mathrm{Tr}(gFg^\dagger gFg^\dagger) = 4\mathrm{Tr}(FF) = \mathrm{Tr}(\mathbb{I}) = 2,$$

and hence $\mathrm{Tr}(FF) = \alpha^2 + \beta^2 = 1/2$. Furthermore using that $|\phi\rangle\langle\phi| + |\phi^\perp\rangle\langle\phi^\perp| = \mathbb{I}$ we then have

$$F = \beta\mathbb{I} + (\alpha - \beta)|\phi\rangle\langle\phi|, \qquad (B2)$$

with $\beta = \sqrt{1/2 - \alpha^2}$. Our first goal is now to show that $|\phi\rangle$ is a Breidbart vector (or the bit-flipped version thereof). To this end, we first formalize our intuition that we may take $|\phi\rangle$ to lie in the XZ plane of the Bloch sphere only. Since we are only interested in the trace-distance term of $B(M)$, we restrict ourselves to considering



(1 -r)Tr(F((7o,6-CTi,fc)F)-|| tr . 

Claim 5 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then $|\phi\rangle$ lies in the XZ plane of the Bloch sphere (i.e. $\mathrm{Tr}(FY) = 0$).

Proof. We first parametrize the state in terms of its Bloch vector:

$$|\phi\rangle\langle\phi| = \frac{\mathbb{I} + xX + yY + zZ}{2}.$$

Since $|\phi\rangle$ is pure we can write $y = \sqrt{1 - x^2 - z^2}$. Hence, we can express $F$ as

$$F = \frac{1}{2}\left((\alpha + \beta)\mathbb{I} + (\alpha - \beta)(xX + yY + zZ)\right).$$

Noting that $\sigma_{0,+} - \sigma_{1,+} = Z$ and $\sigma_{0,\times} - \sigma_{1,\times} = X$ we can compute for the computational basis

$$P := r(FZF) + (1 - r)\mathrm{Tr}(FZF)\frac{\mathbb{I}}{2} = \frac{1}{2}\left(\left(2\alpha^2 - \frac{1}{2}\right)z\,\mathbb{I} + r\left((\alpha - \beta)^2xz\,X + (\alpha - \beta)^2yz\,Y + \left((\alpha - \beta)^2z^2 + 2\alpha\beta\right)Z\right)\right),$$

and for the Hadamard basis:

$$T := r(FXF) + (1 - r)\mathrm{Tr}(FXF)\frac{\mathbb{I}}{2} = \frac{1}{2}\left(\left(2\alpha^2 - \frac{1}{2}\right)x\,\mathbb{I} + r\left(\left((\alpha - \beta)^2x^2 + 2\alpha\beta\right)X + (\alpha - \beta)^2xy\,Y + (\alpha - \beta)^2xz\,Z\right)\right).$$

Note that $\|P\|_{\rm tr} = \sum_j |\lambda_j(P)|$ where $\lambda_j$ is the $j$-th eigenvalue of $P$. A lengthy computation (using Mathematica and plugging in $\beta = \sqrt{1/2 - \alpha^2}$ and $y = \sqrt{1 - x^2 - z^2}$) shows that we have

$$\lambda_1(P) = \frac{1}{4}\left((4\alpha^2 - 1)z - r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\right)$$
$$\lambda_2(P) = \frac{1}{4}\left((4\alpha^2 - 1)z + r\sqrt{z^2 + 8\alpha^2(2\alpha^2 - 1)(z^2 - 1)}\right)$$

Similarly, we obtain for the Hadamard basis that

$$\lambda_1(T) = \frac{1}{4}\left((4\alpha^2 - 1)x - r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\right)$$
$$\lambda_2(T) = \frac{1}{4}\left((4\alpha^2 - 1)x + r\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)}\right)$$

We define

$$f(\alpha, x) := \left(\alpha^2 - \frac{1}{4}\right)x,$$
$$g(\alpha, x) := \frac{1}{4}\sqrt{x^2 + 8\alpha^2(2\alpha^2 - 1)(x^2 - 1)},$$
$$h(\alpha, x, r) := |f(\alpha, x) + rg(\alpha, x)| + |f(\alpha, x) - rg(\alpha, x)|.$$

Note that our optimization problem now takes the form

maximize $h(\alpha, x, r) + h(\alpha, z, r)$
subject to $x^2 + z^2 \le 1$
$0 \le x \le 1$
$0 \le z \le 1$,

where we can introduce the last two inequality constraints without loss of generality, since the remaining three measurement operators will be given by $XFX$, $ZFZ$, and $XZFZX$.

To show that we can let $y = 0$ for the optimal solution, we have to show that for all $\alpha$ and all $r$, the function $h(\alpha, x, r)$ is increasing on the interval $0 \le x \le 1$ (and indeed Mathematica will convince you in an instant that this is the case). Our analysis is further complicated by the absolute values. We therefore first consider

$$h(\alpha, x, r)^2 = 2\left(f(\alpha, x)^2 + r^2g(\alpha, x)^2 + |f(\alpha, x)^2 - r^2g(\alpha, x)^2|\right)$$

where we have used the fact that $f$ and $g$ are real valued functions. In principle, we can now analyze $h_+(\alpha, x, r)^2 = 2(f(\alpha, x)^2 + r^2g(\alpha, x)^2 + f(\alpha, x)^2 - r^2g(\alpha, x)^2)$ and $h_-(\alpha, x, r)^2 = 2(f(\alpha, x)^2 + r^2g(\alpha, x)^2 - f(\alpha, x)^2 + r^2g(\alpha, x)^2)$ separately on their respective domains. By rewriting, we obtain



h+(a, x, r) 2 = -r 2 (x 2 + 8a 2 (2a 2 - l)(ir 2 - 1)), 



and 



h^(a,x,r) — 4 — -| 

Luckily, the first derivatives of $h_+$ and $h_-$ turn out to be positive everywhere for our choice of parameters $0 \le \alpha \le 1/\sqrt{2}$, and $0 \le r, z \le 1$. Hence, by further inspection at the transitional points we can conclude that $h$ is an increasing function of $x$. But this means that to maximize our target expression, we must choose $x$ and $z$ as large as possible. Hence, choosing $y = 0$ is the best choice and our claim follows. □

We can now immediately extend this analysis to find 
Claim 6 Let $F$ be the operator that maximizes $C(F)$, and write $F$ as in Eq. (B2). Then

$$|\phi\rangle = g\left(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle\right),$$

for some $g \in \{\mathbb{I}, X, Z, XZ\}$.

Proof. Extending our analysis from the previous proof, we can compute the second derivative of both functions. It turns out that also the second derivatives are positive, and hence $h$ is convex in $x$. By Claim 5 we can rewrite our optimization problem as

maximize $h(\alpha, x, r) + h(\alpha, z, r)$
subject to $x^2 + z^2 = 1$
$0 \le x \le 1$
$0 \le z \le 1$

It now follows from the fact that $h$ is convex in $x$ and the constraint $x^2 + z^2 = 1$ (by computing the Lagrangian of the above optimization problem), that for the optimal solution we must have $x = z$, and our claim follows. □



2. Optimality of the trivial strategies

Now that we have shown that $F$ is in fact diagonal in the Breidbart basis (or the bit-flipped version thereof) we have only a single parameter left in our optimization problem. We must now optimize over all operators $F$ of the form

$$F = \alpha|\phi\rangle\langle\phi| + \sqrt{1/2 - \alpha^2}\,|\phi^\perp\rangle\langle\phi^\perp|,$$

where we may take $|\phi\rangle$ to be $|0\rangle_B$ or $|1\rangle_B$. Our aim is now to show that either $F$ is the identity, or $F = |\phi\rangle\langle\phi|$ depending on the value of $r$.

Claim 7 Let $F$ be the operator that maximizes $C(F)$. Then $F = c\,\mathbb{I}$ (for some $c \in \mathbb{R}$) for $r > 1/\sqrt{2}$, and $F = |\phi\rangle\langle\phi|$ for $r < 1/\sqrt{2}$, where

$$|\phi\rangle = g\left(\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle\right),$$

for some $g \in \{\mathbb{I}, X, Z, XZ\}$.

Proof. We can now plug in $x = z = 1/\sqrt{2}$ in the expressions for the eigenvalues in our previous proof. Ignoring the constant factors which do not contribute to our argument, we can then write

$$\lambda_1(P) = (4\alpha^2 - 1) - r\sqrt{1 - 16\alpha^4 + 8\alpha^2}$$
$$\lambda_2(P) = (4\alpha^2 - 1) + r\sqrt{1 - 16\alpha^4 + 8\alpha^2}$$

And similarly for the Hadamard basis. We again define functions

$$f(\alpha) := (4\alpha^2 - 1)$$
$$g(\alpha) := \sqrt{1 - 16\alpha^4 + 8\alpha^2}$$
$$h(\alpha, r) := |f(\alpha) + rg(\alpha)| + |f(\alpha) - rg(\alpha)|$$

Note that our optimization problem now takes the form

maximize $2h(\alpha, r)$
subject to $0 \le \alpha \le 1/\sqrt{2}$

Since we are maximizing, we might as well consider the square of our target function and ignore the leading constant as it is irrelevant for our argument.

$$h(\alpha, r)^2 = 2\left(f(\alpha)^2 + r^2g(\alpha)^2 + |f(\alpha)^2 - r^2g(\alpha)^2|\right),$$

To deal with the absolute value, we now perform a case analysis similar to the one above. Computing the zero crossings of the function $f(\alpha)^2 - r^2g(\alpha)^2$, we analyze each interval separately. Computing the first and second derivatives on the intervals we find that $h(\alpha, r)^2$ has exactly two peaks: The first at $\alpha = 0$, and the second at $\alpha = 1/2$. We have that $h(0, r)^2 = 2$ for all $r$, and $h(1/2, r)^2 = 4r^2$. Hence, we immediately see that the maximum is located at $\alpha = 0$ for $r < 1/\sqrt{2}$, and at $\alpha = 1/2$ for $r > 1/\sqrt{2}$. □

Hence, we may conclude that Bob either measures in the Breidbart basis, or stores the qubit as is, and Theorem 2 follows.

We believe that a similar analysis can be done for the dephasing channel, by first symmetrizing the noise by applying a rotation over $\pi/4$ to our input states.
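As an added numerical check (not code from the paper), the following Python code evaluates the sum of guessing probabilities $p_+ + p_\times$ directly from the Helstrom formula for the one-parameter family of Eq. (B2) with a Breidbart vector, and locates the switch between the Breidbart measurement ($\alpha = 0$) and plain storage ($\alpha = 1/2$) at $r = 1/\sqrt{2}$. The function names and the grid resolution are assumptions of this example.

```python
import math

I2 = ((1.0, 0.0), (0.0, 1.0))
X = ((0.0, 1.0), (1.0, 0.0))
Z = ((1.0, 0.0), (0.0, -1.0))

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))

def comb(a, b, ca, cb):
    """Linear combination ca*a + cb*b of two 2x2 matrices."""
    return tuple(tuple(ca * a[i][j] + cb * b[i][j] for j in range(2))
                 for i in range(2))

def dagger(a):
    # All matrices here are real (XZ plane), so the adjoint is the transpose.
    return ((a[0][0], a[1][0]), (a[0][1], a[1][1]))

def trace_norm(a):
    """Tr|A| of a real symmetric 2x2 matrix: sum of |eigenvalues|."""
    t = a[0][0] + a[1][1]
    d = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    root = math.sqrt(max(t * t - 4.0 * d, 0.0))
    return abs((t + root) / 2.0) + abs((t - root) / 2.0)

def depolarize(a, r):
    """Linear extension of N(rho) = r*rho + (1 - r)*Tr(rho)*I/2."""
    return comb(a, I2, r, (1.0 - r) * (a[0][0] + a[1][1]) / 2.0)

def operators(alpha):
    """The four operators g F g^dagger, g in {I, X, Z, XZ}, with
    F = alpha|phi><phi| + beta|phi_perp><phi_perp| as in Eq. (B2)."""
    beta = math.sqrt(max(0.5 - alpha * alpha, 0.0))
    c, s = math.cos(math.pi / 8), math.sin(math.pi / 8)
    proj = ((c * c, c * s), (c * s, s * s))      # Breidbart |phi><phi|
    f = comb(proj, comb(I2, proj, 1.0, -1.0), alpha, beta)
    return [mul(mul(g, f), dagger(g)) for g in (I2, X, Z, mul(X, Z))]

def is_measurement(ops, tol=1e-9):
    """Check the completeness relation sum_k F_k^dagger F_k = I."""
    total = ((0.0, 0.0), (0.0, 0.0))
    for fk in ops:
        total = comb(total, mul(dagger(fk), fk), 1.0, 1.0)
    return all(abs(total[i][j] - I2[i][j]) < tol
               for i in range(2) for j in range(2))

def gamma(alpha, r):
    """p_+ + p_x when Bob applies {F_k}, stores the result under
    depolarizing noise r, and guesses optimally once b is announced."""
    total = 1.0
    for diff in (Z, X):                  # sigma_{0,b} - sigma_{1,b}, b = +, x
        for fk in operators(alpha):
            kept = depolarize(mul(mul(fk, diff), dagger(fk)), r)
            total += 0.25 * trace_norm(kept)
    return total

def best_alpha(r, steps=400):
    """Grid search over 0 <= alpha <= 1/sqrt(2) for the largest gamma."""
    grid = [i / steps for i in range(int(steps / math.sqrt(2.0)) + 1)]
    return max(grid, key=lambda a: gamma(a, r))

if __name__ == "__main__":
    for r in (0.3, 0.6, 0.8, 0.95):
        a = best_alpha(r)
        print(f"r={r:.2f}  best alpha={a:.3f}  Gamma={gamma(a, r):.4f}"
              f"  Delta <= {gamma(a, r) / 2:.4f}")
```

The two closed forms the grid search recovers are $1 + 1/\sqrt{2}$ for the Breidbart measurement and $1 + r$ for storing the qubit unchanged.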



